Russian Hackers Behind Attack PDFs

A notorious Russian hacker gang is responsible for ongoing attacks using malicious PDF documents, a researcher said Wednesday.

Users can thank the Russian Business Network (RBN), a well-known collective of cybercriminals, for the malware-armed PDF attachments that began appearing in in-boxes Tuesday, said Ken Dunham, director of response for iSight Partners Inc. If the rigged PDFs succeed in infecting the target Windows system, the attack code installs a pair of rootkit files that "sniff and steal financial and other valuable data," said Dunham via e-mail.

The rogue PDF documents are attached to spammed e-mail and arrive with filenames such as BILL.pdf, YOUR_BILL.pdf, INVOICE.pdf or STATEMET.pdt, said Symantec Corp. in a separate advisory Tuesday. They exploit the "mailto:" protocol vulnerability disclosed more than a month ago by U.K.-based researcher Petko Petkov.

When recipients open the attacking PDF, it launches a Trojan horse dubbed "Pidief.a" that knocks out the Windows firewall and then downloads another piece of malware to the compromised computer. That second piece of attack code is a dedicated downloader that, in turn, retrieves the two rootkit files from a pair of RBN-controlled servers and drops them onto the hacked PC.

According to Dunham, the RBN servers and the rootkit files are familiar to researchers. "[They] are the same as those used in zero-day Vector Markup Language (VML) attacks from September 2006," he said. The VML vulnerability, disclosed early that month, was so aggressively exploited that a group of security professionals issued an unsanctioned patch, prompting Microsoft to release one of its rare out-of-cycle fixes in late September.

Adobe Systems Inc. fixed the flaw Monday and released updated 8.1.1. editions of both Reader and Acrobat that plug the hole. Users of older versions of the popular programs must either upgrade to 8.1.1 or apply one of the temporary work-arounds that Adobe provided to stifle attacks. On Monday, Adobe did say that it would update Adobe Reader 7.0.9 and Acrobat 7.0.9 "at a later date," but it did not set a definitive timeline.

Although Adobe patched the newest versions of Reader and Acrobat, the vulnerability is ultimately Microsoft Corp.'s responsibility. The software vendor owned up to that two weeks ago, saying that it would patch common protocol handlers such as "mailto:" in Windows XP and Windows Server 2003.

Only users running the Internet Explorer 7 browser on Windows XP or Windows Server 2003 are vulnerable to the PDF exploit.

Adobe's security bulletin includes links to the Adobe Reader and Acrobat updates.